Apparently I was using spring security 3.1.4.RELEASE. here you have do this manually. Then I changed it to 3.2.2.RELEASEand then I just had to use

显然我正在使用 spring security 3.1.4.RELEASE。在这里，您可以手动执行此操作。然后我将其更改为3.2.2.RELEASE然后我只需要使用

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

Refer this link to see whats new in spring security 3.2

请参阅此链接以查看 Spring Security 3.2 的新功能

http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#new

http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#new

Be careful, when you change from 3.1.4.RELEASE to 3.2.2.RELEASE, there are lot of confusing re factorings to do. Specially in web.xmland spring-security.xmlfiles

请注意，当您从 3.1.4.RELEASE 更改为 3.2.2.RELEASE 时，需要进行很多令人困惑的重构。特别是在web.xml和spring-security.xml文件中

OWASP Enterprise Security APIhas a very good option offering solid protection against CSRF. CSRF is actually pretty easy to solve. OWASP ESAPI provides the specifications to implement CSRF protection as below.

OWASP Enterprise Security API有一个很好的选择，可以提供针对 CSRF 的可靠保护。CSRF实际上很容易解决。OWASP ESAPI 提供了实现 CSRF 保护的规范如下。

1. Generate new CSRF token and add it to user once on login and store user in http session.

1. 生成新的 CSRF 令牌并在登录时将其添加到用户并将用户存储在 http 会话中。

This is done in the default ESAPI implementation, and it is stored as a member variable of the Userobject that gets stored in the session.

这是在默认的 ESAPI 实现中完成的，它作为User对象的成员变量存储在session.

/this code is in the DefaultUser implementation of ESAPI
/** This user's CSRF token. */
private String csrfToken = resetCSRFToken();
...
public String resetCSRFToken() {
    csrfToken = ESAPI.randomizer().getRandomString(8, DefaultEncoder.CHAR_ALPHANUMERICS);
    return csrfToken;
}

2. On any forms or urls that should be protected, add the token as a parameter / hidden field.

2. 在任何应该保护的表单或 url 上，添加令牌作为参数/隐藏字段。

The addCSRFTokenmethod below should be called for any url that is going to be rendered that needs CSRF protection. Alternatively if you are creating a form, or have another technique of rendering URLs (like c:url), then be sure to add a parameter or hidden field with the name "ctoken" and the value of DefaultHTTPUtilities.getCSRFToken().

在addCSRFToken下面的方法应该被称为为将要呈现的是需要CSRF保护的任何URL。或者，如果您正在创建表单，或使用其他呈现 URL 的技术（如c:url），请确保添加名称为“ ctoken”且值为 的参数或隐藏字段DefaultHTTPUtilities.getCSRFToken()。

//from HTTPUtilitiles interface
final static String CSRF_TOKEN_NAME = "ctoken";
//this code is from the DefaultHTTPUtilities implementation in ESAPI
public String addCSRFToken(String href) {
    User user = ESAPI.authenticator().getCurrentUser();
    if (user.isAnonymous()) {
        return href;
    }
    // if there are already parameters append with &, otherwise append with ?
    String token = CSRF_TOKEN_NAME + "=" + user.getCSRFToken();
    return href.indexOf( '?') != -1 ? href + "&" + token : href + "?" + token;
}
...
public String getCSRFToken() {
    User user = ESAPI.authenticator().getCurrentUser();
    if (user == null) return null;
    return user.getCSRFToken();
}

3. On the server side for those protected actions, check that the submitted token matches the token from the user object in the session.

3. 在这些受保护操作的服务器端，检查提交的令牌是否与会话中用户对象的令牌匹配。

Ensure that you call this method from your servletor springaction or jsfcontroller, or whatever server side mechanism you're using to handle requests. This should be called on any request that you need to validate for CSRF protection. Notice that when the tokens do not match, it's considered a possible forged request.

确保您从您的servlet或spring操作或jsf控制器或您用于处理请求的任何服务器端机制调用此方法。这应该在您需要验证 CSRF 保护的任何请求上调用。请注意，当令牌不匹配时，它被视为可能的伪造请求。

//this code is from the DefaultHTTPUtilities implementation in ESAPI
public void verifyCSRFToken(HttpServletRequest request) throws IntrusionException {
    User user = ESAPI.authenticator().getCurrentUser();
    // check if user authenticated with this request - no CSRF protection required
    if( request.getAttribute(user.getCSRFToken()) != null ) {
        return;
    }
    String token = request.getParameter(CSRF_TOKEN_NAME);
    if ( !user.getCSRFToken().equals( token ) ) {
        throw new IntrusionException("Authentication failed", "Possibly forged HTTP request without proper CSRF token detected");
    }
}

4. On logout and session timeout, the user object is removed from the session and the session destroyed.

4. 在注销和会话超时时，从会话中删除用户对象并销毁会话。

In this step, logout is called. When that happens, note that the session is invalidated and the current user object is reset to be an anonymous user, thereby removing the reference to the current user and accordingly the csrf token.

在这一步中，logout 被调用。发生这种情况时，请注意会话无效并且当前用户对象被重置为匿名用户，从而删除对当前用户的引用以及相应的 csrf 令牌。

//this code is in the DefaultUser implementation of ESAPI
public void logout() {
    ESAPI.httpUtilities().killCookie( ESAPI.currentRequest(), ESAPI.currentResponse(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME );
    HttpSession session = ESAPI.currentRequest().getSession(false);
    if (session != null) {
        removeSession(session);
        session.invalidate();
    }
    ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(), ESAPI.currentResponse(), "JSESSIONID");
    loggedIn = false;
    logger.info(Logger.SECURITY_SUCCESS, "Logout successful" );
    ESAPI.authenticator().setCurrentUser(User.ANONYMOUS);
}

Source: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

资料来源：http: //www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

Hope this helps you out.

希望这可以帮助你。

Shishir

石狮